From 16cd373eb1d92ffd25321cda12ad420c70f042e3 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Tue, 16 Oct 2012 05:09:38 -0400 Subject: [PATCH] Work around the strange behavior of the sssd 'simple' access_provider When a realm is in the allow-permitted-logins mode, but no such logins have been set, the simple_allow_users is empty. sssd treats this as if the line is not present, and allows any login. Setting the value to a comma gets around this problem. Further discussion will take place on the sssd mailing list. https://bugs.freedesktop.org/show_bug.cgi?id=56027 --- service/realm-sssd.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/service/realm-sssd.c b/service/realm-sssd.c index 00b3e8a..81e92d8 100644 --- a/service/realm-sssd.c +++ b/service/realm-sssd.c @@ -74,6 +74,8 @@ sssd_config_change_login_policy (RealmIniConfig *config, const gchar **remove_names, GError **error) { + gchar *allow; + if (!realm_ini_config_begin_change (config, error)) return FALSE; @@ -81,6 +83,18 @@ sssd_config_change_login_policy (RealmIniConfig *config, realm_ini_config_set (config, section, "access_provider", access_provider); realm_ini_config_set_list_diff (config, section, "simple_allow_users", ",", add_names, remove_names); + + /* + * HACK: Work around for sssd problem where it allows users if + * simple_allow_users is empty. Set it to a comma in this case. + */ + allow = realm_ini_config_get (config, section, "simple_allow_users"); + if (allow != NULL) + g_strstrip (allow); + if (allow == NULL || g_str_equal (allow, "")) + realm_ini_config_set (config, section, "simple_allow_users", ","); + g_free (allow); + return realm_ini_config_finish_change (config, error); } -- 1.7.12.1
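Review bot: The HACK comment in the second hunk of service/realm-sssd.c does not say that the `,` placeholder is an access-control guard, so a later cleanup that reads `simple_allow_users = ,` as a stray value could remove it and put the realm back into allowing every login. I would reword it along the lines of `/* SECURITY: sssd's simple provider treats an empty simple_allow_users as unset and permits all logins; keep a lone "," so the list is never empty (bugs.freedesktop.org #56027). */`. The guard also relies on sssd continuing to read `,` as a non-empty list, which nothing visible here verifies; a test that removes the last permitted login and asserts the stored value is still `,` would at least catch the workaround being dropped. The opening of sssd_config_change_login_policy lies outside both hunks, so whether the placeholder is also written when `access_provider` is something other than `simple` cannot be judged from this patch.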